
Update Felix configuration guide to include iptables lock file support. #935

Merged
merged 1 commit into from
Jul 20, 2017

Conversation

fasaxc
Member

@fasaxc fasaxc commented Jul 20, 2017

Description

Simplified version of #902 reflecting that we're disabling the lock file by default. Doesn't include the manifest changes.

Todos

  • Tests
  • Documentation
  • Release note

Release Note

Felix now (optionally) acquires the iptables lock while manipulating iptables. This prevents conflicts with other applications, such as kube-proxy (as long as they also honor the lock). Upgrade note: to be effective if Felix is running in a container, this feature requires the directory containing the iptables lock file, "/run/", to be mounted into the container.
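The locking behaviour the release note describes (wait for the iptables lock up to a timeout, retry at a probe interval, skip locking entirely when the timeout is 0, fail if the lock file is not reachable from the container), as an added Go example that is not Felix's own code. It assumes the iptables lock is an exclusive flock(2) on the lock file; `LockConfig`, `AcquireIptablesLock` and `ReleaseIptablesLock` are illustrative names, not Felix APIs.

```go
package main

import (
	"errors"
	"os"
	"syscall"
	"time"
)

// LockConfig mirrors the three Felix settings in the table (IptablesLockTimeoutSecs,
// IptablesLockFilePath, IptablesLockProbeIntervalMillis); the Go names are illustrative.
type LockConfig struct {
	TimeoutSecs         int    // 0 disables the lock, which is the default in this PR
	FilePath            string // /run/xtables.lock unless mapped into the container elsewhere
	ProbeIntervalMillis int    // sleep between LOCK_NB attempts while the lock is contended
}
var ErrLockTimeout = errors.New("timed out waiting for iptables lock")

// AcquireIptablesLock takes the exclusive flock(2) that iptables itself holds on the
// lock file, retrying every probe interval until the timeout expires. A nil *os.File
// with a nil error means locking is disabled and the caller proceeds without it.
func AcquireIptablesLock(cfg LockConfig) (*os.File, error) {
	if cfg.TimeoutSecs == 0 {
		return nil, nil
	}
	f, err := os.OpenFile(cfg.FilePath, os.O_CREATE|os.O_RDWR, 0600)
	if err != nil {
		return nil, err // typically /run is not mounted into the container
	}
	deadline := time.Now().Add(time.Duration(cfg.TimeoutSecs) * time.Second)
	for {
		err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB)
		if err == nil {
			return f, nil // lock held until ReleaseIptablesLock closes f
		}
		if err != syscall.EWOULDBLOCK {
			f.Close()
			return nil, err
		}
		if time.Now().After(deadline) {
			f.Close()
			return nil, ErrLockTimeout
		}
		time.Sleep(time.Duration(cfg.ProbeIntervalMillis) * time.Millisecond)
	}
}
// ReleaseIptablesLock drops the flock by closing the descriptor; nil means no lock was taken.
func ReleaseIptablesLock(f *os.File) {
	if f != nil {
		f.Close()
	}
}
```

Because flock locks belong to the open file description, a second opener of the same path (another process, or another handle in the same process) blocks until the first closes it, which is what makes the lock shareable between Felix and kube-proxy when /run is mounted into the container.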

@fasaxc fasaxc added the release-note-required Change has user-facing impact (no matter how small) label Jul 20, 2017
@fasaxc fasaxc changed the title Update Felix configuration guide to include iptable lock file support. Update Felix configuration guide to include iptables lock file support. Jul 20, 2017
@fasaxc fasaxc requested a review from nelljerram July 20, 2017 09:41
Member

@nelljerram nelljerram left a comment


Looks good, just a couple of nits.

| MaxIpsetSize | FELIX_MAXIPSETSIZE | 1048576 | Maximum size for the ipsets used by Felix to implement tags. Should be set to a number that is greater than the maximum number of IP addresses that are ever expected in a tag. |
| IptablesLockTimeoutSecs | FELIX_IPTABLESLOCKTIMEOUTSECS | 0 (disabled) | Time, in seconds, that Felix will wait for the iptables lock, or 0, to disable. To use this feature, Felix must share the iptables lock file with all other processes that also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. |
| IptablesLockFilePath | FELIX_IPTABLESLOCKFILEPATH | /run/xtables.lock | Location of the iptables lock file. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix's container at a different path). |
| IptablesLockProbeIntervalMillis | FELIX_IPTABLESLOCKPROBEINTERVALMILLIS | 50 | Time, in milliseconds, that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended but use more CPU. |
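Review bot: The IptablesLockTimeoutSecs description has a stray comma in "or 0, to disable"; "or 0 to disable" reads correctly and matches the "0 (disabled)" default column. The same row explains the /run mount requirement, but the case where the lock file is mapped to a different path is only covered in the IptablesLockFilePath row below; a short pointer from the timeout row to IptablesLockFilePath would save readers from missing it.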

I think a comma is needed before "but".

| IptablesMarkMask | FELIX_IPTABLESMARKMASK | 0xff000000 | Mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. |
| IptablesRefreshInterval | FELIX_IPTABLESREFRESHINTERVAL | 60 | Period, in seconds, at which felix re-applies all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. |
| IptablesRefreshInterval | FELIX_IPTABLESREFRESHINTERVAL | 90 | Period, in seconds, at which felix re-checks all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. |
| IptablesPostWriteCheckIntervalSecs | FELIX_IPTABLESPOSTWRITECHECKINTERVALSECS | 1 | Period, in seconds, after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn't respect the iptables lock. |
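Review bot: The IptablesRefreshInterval row changes the default from 60 to 90 and the wording from "re-applies" to "re-checks"; that default change is user-facing but the Release Note section above only mentions the lock, so consider adding a sentence there (the PR's own Todos list "Release note"). Both the old and the new row also keep lowercase "felix" while the surrounding rows use "Felix".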

Can we make Felix capitalization consistent? (I have a slight preference for "Felix", but am more concerned overall that we are consistent.)

@fasaxc fasaxc force-pushed the ipt-lock-disable branch from 8ad7b76 to 44cd7f9 Compare July 20, 2017 10:19
@fasaxc fasaxc merged commit 5164a06 into projectcalico:master Jul 20, 2017
@fasaxc fasaxc deleted the ipt-lock-disable branch July 20, 2017 10:30
@caseydavenport caseydavenport added this to the Calico v2.4.0 milestone Jul 31, 2017
@caseydavenport caseydavenport mentioned this pull request Jul 31, 2017